Re: False Positive

Mark Buchanan wrote:
> Ok, I took a look at the packet and this is what I found.  First,
> while the offset is 5 and that is where Snort started looking, the
> depth to look was 15.  The |04 00| sequence was found at 5 (offset) +
> 13/14.  The |04 00| combination was actually found in the Request ID
> field of the packet as apposed to the Community string.
> 
> With that said and after reading a little of the snmp_api.h code from
> ucd-snmp, I wonder if you could do set this sig to a depth of 2.

This would be vulnerable to a false negative. Any larger ASN.1 sequence
will cause byte at offset 1 to change into a series of bytes, which
shifts the rest of the payload rightward.

> It appears that the 5 + 2 byte is the length of the community string,
> allowing for a community string of 0 - 255 characters.  The first
> digit (5 + 1), I didn't find a reference to.

0x04 = OCTET STRING

Cheers,
nnposter


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl